Merge pull request #774 from stackhpc/fix/caas-secrets

bertiethorpe · web-flow · commit bc0c66c75c7b · 2025-09-10T00:14:17.000+01:00
Make CaaS specific role: `persist_openhpc_secrets` idempotent
diff --git a/ansible/roles/persist_openhpc_secrets/tasks/main.yml b/ansible/roles/persist_openhpc_secrets/tasks/main.yml
@@ -14,14 +14,18 @@
   loop:
     - "{{ appliances_state_dir }}/ansible.facts.d"
     - "/etc/ansible/facts.d"
-    
+
+- name: Load existing OpenHPC secrets if present
+  ansible.builtin.setup:
+    filter: ansible_local
+  when: openhpc_secrets_stat.stat.exists
+
 - name: Write OpenHPC secrets
   template:
     src: openhpc_secrets.fact
     dest: "{{ appliances_state_dir }}/ansible.facts.d/openhpc_secrets.fact"
     owner: root
     mode: 0600
-  when: "not openhpc_secrets_stat.stat.exists"
 
 - name: Symlink persistent facts to facts_path
   file:
@@ -30,6 +34,6 @@
     dest: /etc/ansible/facts.d/openhpc_secrets.fact
     owner: root
     
-- name: Read facts
+- name: Refresh facts to pick up any new secrets
   ansible.builtin.setup:
     filter: ansible_local
diff --git a/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact b/ansible/roles/persist_openhpc_secrets/templates/openhpc_secrets.fact
@@ -1,9 +1,10 @@
 {
-  "vault_azimuth_user_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_grafana_admin_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_elasticsearch_admin_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_elasticsearch_kibana_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_mysql_root_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_mysql_slurm_password": "{{ lookup('password', '/dev/null') }}",
-  "vault_openhpc_mungekey": "{{ lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') | regex_replace('\s+', '') }}"
+  "vault_azimuth_user_password": "{{ ansible_local.openhpc_secrets.vault_azimuth_user_password | default(lookup('password', '/dev/null')) }}",
+  "vault_grafana_admin_password": "{{ ansible_local.openhpc_secrets.vault_grafana_admin_password | default(lookup('password', '/dev/null')) }}",
+  "vault_elasticsearch_admin_password": "{{ ansible_local.openhpc_secrets.vault_elasticsearch_admin_password | default(lookup('password', '/dev/null')) }}",
+  "vault_elasticsearch_kibana_password": "{{ ansible_local.openhpc_secrets.vault_elasticsearch_kibana_password | default(lookup('password', '/dev/null')) }}",
+  "vault_mysql_root_password": "{{ ansible_local.openhpc_secrets.vault_mysql_root_password | default(lookup('password', '/dev/null')) }}",
+  "vault_mysql_slurm_password": "{{ ansible_local.openhpc_secrets.vault_mysql_slurm_password | default(lookup('password', '/dev/null')) }}",
+  "vault_openhpc_mungekey": "{{ ansible_local.openhpc_secrets.vault_openhpc_mungekey | default(lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') | regex_replace('\\s+', '')) }}",
+  "vault_alertmanager_admin_password": "{{ ansible_local.openhpc_secrets.vault_alertmanager_admin_password | default(lookup('password', '/dev/null')) }}"
 }
diff --git a/environments/.caas/inventory/group_vars/all/cluster.yml b/environments/.caas/inventory/group_vars/all/cluster.yml
@@ -11,6 +11,7 @@ vault_elasticsearch_kibana_password: "{{ hostvars[groups['control'][0]].ansible_
 vault_mysql_root_password: "{{ hostvars[groups['control'][0]].ansible_local.openhpc_secrets.vault_mysql_root_password }}"
 vault_mysql_slurm_password: "{{ hostvars[groups['control'][0]].ansible_local.openhpc_secrets.vault_mysql_slurm_password }}"
 vault_openhpc_mungekey: "{{ hostvars[groups['control'][0]].ansible_local.openhpc_secrets.vault_openhpc_mungekey }}"
+vault_alertmanager_admin_password: "{{ hostvars[groups['control'][0]].ansible_local.openhpc_secrets.vault_alertmanager_admin_password }}"
 
 # Override this to cope with the case where the podman group just doesn't exist
 appliances_local_users_podman_enable: "{{ groups.get('podman', []) | length > 0 }}"
